I have configured the SSL configuration for my jboss.
-Djavax.net.ssl.keyStore=/opt/appserver/jboss5.1/test.jks
-Djavax.net.ssl.keyStorePassword=*********
-Djavax.net.ssl.trustStore=/opt/appserver/jboss5.1/test.jks
-Djavax.net.ssl.trustStorePassword=*******
I am using the spring integration to connect to restservice, the ssl certificate is getting passed for some request and it is not getting passed for some other request, Any idea why the certificate will not be passed for one request?
It is the servers responsibility to request the client to send a certificate during mutual authentication.
When you have time, verify that the server has the ssl 'clientAuth' attribute set 'true' for all the urls that you want mutual authentication (client authentication).
Related
I have a server as rest API in spring boot and client is Rest Template present in another spring boot application. Currently, in order to enable https,I have configured server.ssl related properties inside application.proeprties file of server like keystore and truststore details. (It's 2Way SSL)
I want my server to reject expired certificate presented by client.Currently, server is not checking validity date of client certificate automatically.
I am using keystore and truststore in jks format.
How to reject expired client certificates??? I am not able to find code.
I am writing a NodeJS proxy that will replace a Java Jetty Proxy. I am using node-http-proxy. The only piece remaining is to have the original client certificate passed along to the proxied server.
From my understanding, the Java Servlet specification requires that a Servlet container pull the Client Certificate from an HTTPS request and store that as an attribute on the HttpServletRequest.
I am not sure how the Servlet Container handles the Attributes when proxying the request to a new server. I presume that it is attaching them somehow either as headers or by some other means.
Does anyone know how those attributes (specifically the javax.servlet.request.X509Certificate) are passed on a proxied HTTPS request? And two, how do I achieve the same functionality using NodeJS.
In the event that is helps someone else out... The issue turned out to be the node module I was using (node-http-proxy) wasn't reusing the HTTP server connection certificates. That is, when attempting to create a connection with the proxy server, it was using a default (generated) certificate.
To properly connect with the proxy server, I had to pass the ca, pfx, and passphrase to the proxy connector.
const ca = ...
const pfx = ...
const passphrase = ...
// proxy connection
server.web(req, res, { ca: ca, pfx: pfx, passphrase: passphrase }, function(err) {});
After doing so, the Proxy server was able to pull and validate the certificate.
I am writing a java rest-client to fetch data from the web App. I am trying to use client authentication(login using client certificate) mechanism using spring's RestTemplate to get authenticated on server.
Here are the steps that I did.
Server side:
Configure the web server to allow certificate based login. Set "clientAuth"= "want" in server.xml
Create a clients x509 certificate and add it into servers truststore.
Client Side
Initialize RestTemplate with clients trustStore and keyStore. For this I used org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory.
AuthSSLProtocolSocketFactory is initialized with client keystore in PKCS12 format, and client truststore (jks format).
Code looks like this:
CommonsClientHttpRequestFactory factory = (CommonsClientHttpRequestFactory) restTemplate.getRequestFactory();
HttpClient client = factory.getHttpClient();
client.getState().setAuthenticationPreemptive(false);
Protocol myHttps = new Protocol(HTTPS, secureProtocolSocketFactory, DEFAULT_HTTPS_PORT);
Protocol.registerProtocol(HTTPS, myHttps);
client.getHostConfiguration().setHost("localhost", DEFAULT_HTTPS_PORT, myHttps);
When I am making rest calls into server I am expecting the request to get authenticated by certificate. But I am getting http 403-forbidden error. It seems that restTemplate is trying to authenticate the request by basicCredentials, where my intent is to authenticate using certificate.
Following is the output logged by http client:
MultiThreadedHttpConnectionManager:390 - HttpConnectionManager.getConnection: config = HostConfiguration[host=https://<server-ip>], timeout = 0
MultiThreadedHttpConnectionManager$ConnectionPool:739 - Allocating new connection, hostConfig=HostConfiguration[host=<server-ip>]
HttpMethodDirector:160 - Preemptively sending default basic credentials
HttpMethodDirector:277 - Authenticating with BASIC <any realm>#<server-ip>:443
HttpMethodParams:355 - Credential charset not configured, using HTTP element charset
HttpConnection:691 - Open connection to 10.112.253.152:443
HttpMethodBase:1235 - Adding Host request header
RestTemplate:559 - GET request for "https://<server-ip>:443/url/" resulted in 403 (Forbidden)
Is there anything else that needs to be configured on RestTemplate to get authenticated using client certificate?
Background
I have a .NET console application client that consumes a Java RESTful Service with TLS Client Authentication enabled (aka Mutual Authentication).
It should be the reverse of this SSL Socket between .Net and Java with client authentication
Problem
I am always getting this error: Could not establish trust relationship for the SSL/TLS secure channel
I have no idea how to configure this correctly both on the client and server.
Steps Performed
The .NET console application is already including the CA, intermediate, and server certificates but the same error is being thrown.
I provided the server a Certificate Signing Request (CSR).
The server signed and provided a signed certificate back to me. The signed certificate is being included in the communications between the client and the server. However, the same error is being thrown.
Can anyone enlighten me on how to get a successful handshake?
This has been resolved.
Here are the steps:
Create a Certificate Signing Request (CSR).
Have the CSR signed by the server.
Get the signed certificate.
Include the signed certificate in the HTTP request.
Make sure to put the Self-Signed CA Certificate in the Local Computer's Trusted Root CA store.
Troubleshooting steps in order (do not skip if a certain step is not successful):
Test with HTTP
Test with HTTPS (one-way authentication)
Test with HTTPS (mutual authentication)
How to configure TOMCAT to make the browser show the installed certificates (A3; token USB) when a URL (servlet) is called?
I will retriev the X509 certificate on the servlet request parameter.
Your question is a bit difficult to understand, but I'm guessing that you want tomcat to request a certificate from a client.
If this is the case, then you will want to enable what is called mutual authentication in tomcat.
You will have to set the clientAuth attribute of your tomcat ssl connector to either want or true. The ssl connector will be found in your tomcat server.xml file.
'want' asks the client to send a certificate if it has one, but the request will go though if the client doesn't have a certificate and 'true' means the client is required to send a certificate and the request will fail if the client does not provide a certificate.
More information can be found on the tomcat website:
SSL/TLS Configuration HOW-TO